D-Link NetDefend DFL-210 User Manual page 235

Network security firewall ver 2.26.01

6.2.8. The SIP ALG
3. Define three rules in the IP rule set:

   - A NAT rule for outbound traffic from the local proxy and the clients on the internal network to the remote clients on, for example, the Internet. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the application level. Neither the clients nor the proxies need to be aware that the local clients are being NATed.
     If Record-Route is enabled on the SIP proxy, the source network of the NAT rule can include only the SIP proxy, and not the local clients.
   - A SAT rule for redirecting inbound SIP traffic to the private IP address of the NATed local proxy. This rule will have core (in other words, NetDefendOS itself) as the destination interface, since inbound traffic arrives addressed to wan_ip, the firewall's own address, and is only then redirected to the private IP address of the SIP proxy.
   - An Allow rule which matches the same type of traffic as the SAT rule defined in the previous step. A SAT rule on its own only defines the translation; the traffic is forwarded only if a second rule, such as this Allow rule, also matches it.
Rule set for Solution A (with NAT), in the order the rules are evaluated:

Name                       Action  Src Interface  Src Network        Dest Interface  Dest Network
OutboundFromProxyUsers     NAT     lan            lannet (ip_proxy)  wan             all-nets
InboundToProxyAndClients   SAT     wan            all-nets           core            wan_ip   SETDEST ip_proxy
InboundToProxyAndClients   Allow   wan            all-nets           core            wan_ip

If Record-Route is enabled then the Source Network for outbound traffic from proxy users can be
further restricted in the above rules by using "ip_proxy" as indicated.

When an incoming call is received, the SIP ALG will follow the SAT rule and forward the SIP
request to the proxy server. The proxy will, in turn, forward the request to its final destination, which
is the client.

If Record-Route is disabled at the proxy server, and depending on the state of the SIP session, the
SIP ALG may forward inbound SIP messages directly to the client, bypassing the SIP proxy. This
will happen automatically without further configuration.

Solution B - Without NAT

Without NAT, the outbound NAT rule is replaced by an Allow rule. The inbound SAT and Allow
rules are replaced by a single Allow rule.

Name                       Action  Src Interface  Src Network        Dest Interface  Dest Network
OutboundFromProxy&Clients  Allow   lan            lannet (ip_proxy)  wan             all-nets
InboundToProxy&Clients     Allow   wan            all-nets           lan             lannet (ip_proxy)

If Record-Route is enabled then the networks in the above rules can be further restricted by using
"ip_proxy" as indicated.

Scenario 3

Protecting proxy and local clients - Proxy on the DMZ interface

This scenario is similar to the previous one, but the major difference is the location of the local SIP proxy
server. The server is placed on a separate interface and network from the local clients. This setup adds
an extra layer of security since the initial SIP traffic is never exchanged directly between a remote
endpoint and the local, protected clients.

Chapter 6. Security Mechanisms
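The following is an added example, not code from the D-Link manual: a small Python model of the two SIP rule sets above (Solution A with NAT, Solution B without NAT) and of how a first-match lookup treats one packet against them. It shows why the SAT rule has to be paired with an Allow rule, what the "(ip_proxy)" restriction does when Record-Route is enabled, and that traffic for any service other than SIP falls through to a drop. Everything not on the page is an assumption and is constructed here: the address values for lannet, ip_proxy and wan_ip, the routing that maps a destination address to an interface, the REMOTE and CLIENT sample addresses, and the lookup semantics that a SAT match only records a translation and the packet is forwarded only if a later Allow or NAT rule also matches the untranslated packet.

```python
# Added example (not from the manual): model of the SIP rule sets on this page.
# Assumed here, not taken from the page: address values, the routing table,
# and the rule that a SAT match needs a second (Allow/NAT) match to forward.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPNet = Union[ipaddress.IPv4Address, ipaddress.IPv4Network]

# Constructed address book; real deployments use their own values.
LANNET = ipaddress.ip_network("192.168.1.0/24")   # local clients and proxy
IP_PROXY = ipaddress.ip_address("192.168.1.10")   # local SIP proxy
WAN_IP = ipaddress.ip_address("203.0.113.5")      # firewall's public address
ALL_NETS = ipaddress.ip_network("0.0.0.0/0")
REMOTE = ipaddress.ip_address("198.51.100.7")     # constructed remote endpoint
CLIENT = ipaddress.ip_address("192.168.1.50")     # constructed local client


def contains(net: IPNet, ip: ipaddress.IPv4Address) -> bool:
    """A single address object matches only itself; a network matches its members."""
    return ip == net if isinstance(net, ipaddress.IPv4Address) else ip in net


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address
    service: str = "sip"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "NAT", "SAT" or "Allow", as in the tables above
    src_if: str
    src_net: IPNet
    dst_if: str
    dst_net: IPNet
    service: str = "sip"        # the SIP service object the SIP ALG is attached to
    sat_dest: Optional[ipaddress.IPv4Address] = None   # SETDEST target of a SAT rule

    def matches(self, pkt: Packet, dst_if: str) -> bool:
        return (self.src_if == pkt.src_if and self.dst_if == dst_if
                and self.service == pkt.service
                and contains(self.src_net, pkt.src_ip)
                and contains(self.dst_net, pkt.dst_ip))


def route(dst_ip: ipaddress.IPv4Address) -> str:
    """Constructed routing: the firewall's own address is 'core', the internal
    network sits behind 'lan', everything else leaves via 'wan'."""
    if dst_ip == WAN_IP:
        return "core"
    if dst_ip in LANNET:
        return "lan"
    return "wan"


def lookup(rules, pkt: Packet):
    """First-match lookup returning (verdict, final destination address).
    A matching SAT rule only records its translation and the search goes on;
    the packet is forwarded only if a later Allow or NAT rule also matches
    the untranslated packet. With no final match the packet is dropped."""
    dst_if = route(pkt.dst_ip)
    sat: Optional[Rule] = None
    for rule in rules:
        if not rule.matches(pkt, dst_if):
            continue
        if rule.action == "SAT":
            if sat is None:          # only the first SAT match counts
                sat = rule
            continue
        verdict = rule.action if sat is None else f"SAT+{rule.action}"
        return verdict, (sat.sat_dest if sat is not None else pkt.dst_ip)
    return "Drop", pkt.dst_ip


def solution_a(record_route: bool = False):
    """Solution A (with NAT), rows in the page's order. With Record-Route on the
    proxy the outbound source network shrinks from lannet to ip_proxy."""
    outbound_src = IP_PROXY if record_route else LANNET
    return [
        Rule("OutboundFromProxyUsers", "NAT", "lan", outbound_src, "wan", ALL_NETS),
        Rule("InboundToProxyAndClients", "SAT", "wan", ALL_NETS, "core", WAN_IP,
             sat_dest=IP_PROXY),
        Rule("InboundToProxyAndClients", "Allow", "wan", ALL_NETS, "core", WAN_IP),
    ]


def solution_b(record_route: bool = False):
    """Solution B (without NAT): two Allow rules and no SAT."""
    local = IP_PROXY if record_route else LANNET
    return [
        Rule("OutboundFromProxy&Clients", "Allow", "lan", local, "wan", ALL_NETS),
        Rule("InboundToProxy&Clients", "Allow", "wan", ALL_NETS, "lan", local),
    ]


if __name__ == "__main__":
    print(lookup(solution_a(), Packet("wan", REMOTE, WAN_IP)))       # inbound call, SAT then Allow
    print(lookup(solution_a()[:2], Packet("wan", REMOTE, WAN_IP)))   # SAT without its Allow rule
    print(lookup(solution_a(True), Packet("lan", CLIENT, REMOTE)))   # Record-Route restriction
```

Dropping the third rule from Solution A (the `solution_a()[:2]` call) is the misconfiguration to watch for: the SAT rule still matches, but nothing forwards the packet, so inbound calls to wan_ip are silently dropped. Enabling the Record-Route restriction in either solution means a client sending SIP directly out through the firewall, rather than through the proxy, is dropped as well, which is exactly the least-privilege effect the "(ip_proxy)" annotation is there to give.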
